---
title: Windows Defender Application Control and .NET Hardening (Windows)
description: Dynamic Code Security is an application control feature that can verify code loaded by .NET at runtime.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 09/23/2021
ms.technology: windows-sec
---
# Windows Defender Application Control and .NET hardening
Historically, Windows Defender Application Control (WDAC) has restricted the set of applications, libraries, and scripts that are allowed to run to those approved by an organization. Security researchers have found that some .NET applications may be used to circumvent those controls by using .NET's capabilities to load libraries from external sources or to generate new code on the fly. Beginning with Windows 10, version 1803, or Windows 11, WDAC features a new capability, called Dynamic Code Security, that verifies code loaded by .NET at runtime.
When the Dynamic Code Security option is enabled, WDAC policy is applied to libraries that .NET loads from external sources. Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that has been tampered with.
Dynamic Code Security is not enabled by default because existing policies may not account for externally loaded libraries. Additionally, a few .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, are not currently supported with Dynamic Code Security enabled. Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy.
Additionally, customers can precompile for deployment only to prevent an allowed executable from being terminated because it tries to load unsigned dynamically generated code. See the "Precompiling for Deployment Only" section in the ASP.NET Precompilation Overview document for how to fix that.
To enable Dynamic Code Security, add the following option to the `<Rules>` section of your policy:

```xml
<Rule>
  <Option>Enabled:Dynamic Code Security</Option>
</Rule>
```
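As an added example (not part of this article or of Microsoft's tooling), the following script adds the option above to a WDAC policy XML file and, following the recommendation to test in audit mode first, also adds `Enabled:Audit Mode` unless told otherwise. The policy fragment is a constructed minimal sample; the `SiPolicy` root and the `urn:schemas-microsoft-com:sipolicy` namespace are those used by real WDAC policy files.

```python
"""Add the Dynamic Code Security option to a WDAC policy XML (constructed sample)."""
import xml.etree.ElementTree as ET

# Every element in a WDAC policy file lives in this namespace.
NS = "urn:schemas-microsoft-com:sipolicy"
ET.register_namespace("", NS)  # emit it as the default namespace, as real policies do

DYNAMIC_CODE = "Enabled:Dynamic Code Security"
AUDIT_MODE = "Enabled:Audit Mode"

# Constructed minimal policy fragment for demonstration, not a real deployed policy.
SAMPLE_POLICY = f"""<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="{NS}">
  <VersionEx>10.0.0.0</VersionEx>
  <Rules>
    <Rule><Option>Enabled:UMCI</Option></Rule>
  </Rules>
</SiPolicy>
"""


def policy_options(xml_text: str) -> list:
    """Return the rule option strings present under <Rules>, in document order."""
    root = ET.fromstring(xml_text)
    path = f"{{{NS}}}Rules/{{{NS}}}Rule/{{{NS}}}Option"
    return [o.text for o in root.findall(path)]


def enable_dynamic_code_security(xml_text: str, audit_first: bool = True) -> str:
    """Add Enabled:Dynamic Code Security and, by default, Enabled:Audit Mode so that
    externally loaded .NET libraries missing from the policy show up in audit events
    instead of being blocked. Existing options are kept; nothing is added twice."""
    root = ET.fromstring(xml_text)
    rules = root.find(f"{{{NS}}}Rules")
    if rules is None:  # policy without a <Rules> section: create one
        rules = ET.SubElement(root, f"{{{NS}}}Rules")
    present = {o.text for o in rules.iter(f"{{{NS}}}Option")}
    wanted = [DYNAMIC_CODE] + ([AUDIT_MODE] if audit_first else [])
    for option in wanted:
        if option in present:
            continue
        rule = ET.SubElement(rules, f"{{{NS}}}Rule")
        ET.SubElement(rule, f"{{{NS}}}Option").text = option
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(enable_dynamic_code_security(SAMPLE_POLICY))
```

Once the audited policy has surfaced any libraries that need to be allowed, drop `Enabled:Audit Mode` (or call with `audit_first=False`) to enforce.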